If the Data Owner requires it, the A10 Networks ADC must be configured to perform CCN Mask, SSN Mask, and PCRE Mask Request checks.
An XCCDF Rule
Description
<VulnDiscussion>If outbound communications traffic is not continuously monitored, hostile activity may not be detected and prevented. Output from application and traffic monitoring serves as input to continuous monitoring and incident response programs. The A10 Networks ADC can be configured to mask data traversing outbound through the device. This is useful in preventing data exfiltration. If any data must be masked before it leaves the enclave (such as Credit Card Numbers, Social Security Numbers, or other sensitive information), a WAF template can be configured with CCN Mask, SSN Mask, and PCRE Mask Request checks. The Mask Request check depends on what information must be masked. This includes using Perl Compatible Regular Expressions (PCRE) for custom masks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-237061r639630_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Review the system or enclave documentation and confer with the data owner(s) if necessary. If any data must be masked before it leaves the enclave (such as credit card numbers, Social Security numbers, or other sensitive information), configure the CCN Mask, SSN Mask, and PCRE Mask Request checks.
These checks are applied to a WAF template.
The following command replaces all but the last four digits of credit card numbers with an “x” character:
ccn-mask